I wasn't intending to make this so public so soon - gmaxwell and I are still working on the technical details - but given the huge discussion the block-size issue seems to have spawned I think it'd be good to get the idea out in the open to show people we do have options other than just raising the block size, and those options don't have to be centralized.

Overview

Fidelity-bonded banking allows you to send payments instantly, while still preserving your financial privacy. The recipient of the funds doesn't have access to your financial information, such as where the funds came from, and the bank only knows where the funds came from, not where they went. The system ensures that everyone can effectively audit these banks, and if these audits uncover fraud, that fraud can be cryptographically proven to the world.

Trustbits is what I'm calling my particular implementation of the idea.

Sending Money

Let's look at how it works, starting with how you use it to pay someone:

1) The first step is to make a deposit. You send the bank your Bitcoins, and the bank waits until the payment is confirmed.

2) The bank gives you a receipt for your deposit. To preserve your privacy the receipt is made using a cryptographic technique called Chaum Blind Signatures. The way it works is easiest to understand with an analogy:

a) Write down a very large random number on a piece of pressure-sensitive carbon-copy paper.

b) Now put that piece of paper in an unmarked envelope and give the sealed envelope to the bank.

c) The bank now signs the outside of the envelope, and by doing so they also sign the pressure-sensitive paper inside.

The signature is what makes the receipt valuable. The bank will use multiple signatures, and each type of signature designates that the receipt is worth a given number of Bitcoins, kinda like how we use different types of coins, each worth different amounts. A deposit of 11 Bitcoins might get you a receipt worth 10 Bitcoins, and another receipt worth 1 Bitcoin.

3) Give your receipt to the person you want to pay. They then give the receipt to the bank. The bank checks the signature to make sure the receipt is real - if it is, the recipient either gets a new receipt of their own, or the bank can transfer them Bitcoins directly.

Regardless of where the funds go the bank adds the number on the receipt to a list of spent receipts; that way the receipt can only be used once. With a really big random number the probability of two people picking the same number can be astronomically small, just like how the probability of two people picking the same secret key for their Bitcoins is astronomically small.

The bank and the recipient don't know where the funds came from; the receipt is just a signature and a random number. At the same time, because the receipt was in the envelope when it was signed, the bank doesn't know which receipt they signed when they accepted the deposit.

Fraud Proofs

For everything the bank does, they've been signing these receipts with their cryptographic identity. These receipts are really promises, and if the bank ever breaks a promise, the software can create a machine-readable proof that the promise was broken, and that proof can be broadcast to the world.

Bitcoin itself relies on the idea that information is easy to copy, but hard to censor. Fraud proofs will be distributed world wide on a censor-proof P2P network, so if a bank ever commits fraud, such as failing to redeem a valid receipt, everyone will immediately know and their software can immediately stop using that bank.

Fidelity Bonds

While the bank will lose future business, we also want to make the bank lose money now. We do this by forcing the bank to purchase a bond before they start their business; if they commit fraud, they lose their bond. Because the bank's funds are all publicly known - they're on the blockchain, visible to all - no client will ever deposit more funds with the bank than the bond is worth. Even if the owner of the bank wants to close the bank down, it's still in their interest to behave honestly, keep the bond intact, and resell it to someone else.

Trusted Computing

IBM and a few other companies make special computers that support a feature called Remote Attestation. The hardware itself is made to be nearly tamperproof with special techniques, similar to but more advanced than the ones that keep smartcards secure, and inside the hardware is a mechanism by which anyone can ask the hardware what software is running on it. That software can then be carefully audited by security experts.

Now the owner of the bank can't even take your funds; the software keeps the keys to the funds safe, and the hardware makes sure the software can't be changed without everyone knowing. The manufacturer of the hardware can take your funds, but then they would lose the value of the fidelity bond. Finally these special trusted computers are widely used for all sorts of purposes, including many existing banking applications. If, say, IBM ever created a dishonest one it would have huge ramifications beyond just Bitcoin.

So how do Fidelity Bonds work?

Like Bitcoin, the value of a bond is just something we all agree on; also like a Bitcoin, the bond is just information in a computer network. What happens is you create one of these bonds by sacrificing, that is throwing away, Bitcoins in a way linked to your cryptographic identity and the promises the bank agrees to uphold (the contract).

A bond is only considered to be valid if the bank hasn't broken their contract. The moment they do, the bond itself hasn't changed, again, it's just information, but it's worthless now. This is kinda like a reputation: Coca-Cola's name doesn't actually change if they put rat poison into their drinks, but their reputation will still be ruined when people find out.

What happens if the bank suddenly shuts down?

Of course, only the bank can give you your Bitcoins back. However Bitcoin itself has a feature called time-locked transactions. This allows the bank to give you a Bitcoin transaction that won't be valid for some time period, perhaps 6 months, that lets you get your deposit with them back. If the bank suddenly shuts down you'll be able to get your money back after that time. Of course, it'd be better to get it back immediately, but this isn't really any different to how the legal system takes a few months to clean up after a bank failure, except in this case whether or not you get your funds back is governed by math rather than humans.

How can I pay someone who doesn't use the same bank as me?

Centralization is a bad thing - we need it to be possible for many different banks to co-exist. Fortunately with fraud proofs and trusted computing it's possible for software to automatically evaluate the trustworthiness of a bank; humans aren't required. Thus when you send money to someone their client software will evaluate if the transfer is valid automatically regardless of which bank you happen to use. Similarly bank-to-bank transfers can happen automatically too, either by issuing receipts to each other, or by creating a regular Bitcoin transaction to settle their debts.

It'll even be possible for you to operate your own bank, although it's expected that most people will just use banks run by others. The fraud shutdown mechanisms will be very fast and very stringent, so if you want to run a bank yourself you run a high risk of losing your fidelity bond if you don't know what you are doing.

What I need from the community to make this happen

Ok, so I need 5,000BTC for a year, I need a team of five programmers, and...

...no seriously, I don't want any of that stuff. Of course I'd be working on Trustbits with more of my time if I could, but competition is healthy and we shouldn't be putting all our hopes in one particular idea for off-chain transactions any more than we should be putting all our hopes in just raising the block size somehow. There are plenty of smart people around here, maybe you've got a better idea than fidelity-bonded banks that I haven't thought of? Maybe you can do a better job of fidelity-bonded banks than I can? Maybe you know how to somehow make Bitcoin scale anyway? The way I see it, we have 2-3 years before the blocksize becomes a serious issue, and if people start working on off-chain transaction projects now, we'll have plenty of good options by that time.

It's also not just a blocksize issue: off-chain transactions can have a lot of advantages by themselves like instant payments and mathematically proven privacy. Regardless of what happens to the blocksize, alternatives to on-chain transactions are healthy and can provide capabilities that Bitcoin itself can't.
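The deposit, envelope-signing and redeem steps from the post above, as an added worked example. This is illustration code written for this page, not Trustbits or anything from the post: textbook RSA blind signatures with one keypair per denomination, plus the bank's list of spent receipts. The denominations (10 and 1), the 512-bit key size, hashing the serial with SHA-256 before signing, and the in-process `Bank` class are all assumptions made for the demonstration.

```python
"""Chaum blind-signature receipts: blind, sign, unblind, redeem once.
Added example, not code from the post. Textbook RSA blinding of a SHA-256
hash of the serial, one keypair per denomination. 512-bit keys and the
home-grown Miller-Rabin test are demonstration-only assumptions."""
import hashlib
import random
import secrets
from math import gcd

DENOMINATIONS = (10, 1)  # assumed: the post's 11 BTC deposit becomes a 10 and a 1 receipt


def _is_probable_prime(n, rounds=16):
    """Miller-Rabin with a small-prime pre-filter."""
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        candidate = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate


def rsa_keygen(bits=512):
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this is gcd(e, phi) == 1
            return {"n": p * q, "e": e, "d": pow(e, -1, phi)}


def _hash_serial(serial, n):
    """Sign a hash of the 'number on the paper', not the raw number (raw RSA is forgeable)."""
    return int.from_bytes(hashlib.sha256(serial.to_bytes(32, "big")).digest(), "big") % n


class Bank:
    def __init__(self):
        self.keys = {value: rsa_keygen() for value in DENOMINATIONS}
        self.spent = set()  # serials already redeemed: the post's 'list of spent receipts'

    def public_key(self, value):
        key = self.keys[value]
        return key["n"], key["e"]

    def sign_blinded(self, value, blinded):
        """Step 2c: sign the sealed envelope; the bank only ever sees `blinded`."""
        key = self.keys[value]
        return pow(blinded, key["d"], key["n"])

    def redeem(self, value, serial, sig):
        """Step 3: valid signature under this denomination's key, and not yet spent."""
        n, e = self.public_key(value)
        if pow(sig, e, n) != _hash_serial(serial, n):
            return "bad signature"
        if serial in self.spent:
            return "already spent"
        self.spent.add(serial)
        return "ok"


def make_receipt(bank, value):
    """Client side: pick the serial, blind it, get it signed, unblind the result."""
    n, e = bank.public_key(value)
    serial = secrets.randbits(256)  # the 'very large random number'
    while True:
        r = secrets.randbelow(n)  # blinding factor; must be invertible mod n
        if r > 1 and gcd(r, n) == 1:
            break
    blinded = (_hash_serial(serial, n) * pow(r, e, n)) % n
    sig = (bank.sign_blinded(value, blinded) * pow(r, -1, n)) % n  # (H r^e)^d r^-1 = H^d
    return serial, sig


def deposit(bank, amount):
    """Split a confirmed deposit into denomination receipts, largest first."""
    receipts = []
    for value in DENOMINATIONS:
        while amount >= value:
            receipts.append((value, *make_receipt(bank, value)))
            amount -= value
    return receipts
```

`deposit()` plays both sides for brevity; in the protocol as the post describes it, the bank cannot see what it is signing, so it must only call `sign_blinded` for a given denomination once a deposit of at least that amount has confirmed. Presenting the same `(serial, sig)` twice returns "already spent", and a 10-unit receipt presented under the 1-unit key fails signature verification because each denomination has its own key.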

For the "Trusted Computing" part, does the bank operator know the bitcoin address private keys and keep a backup?

The private keys are kept secure by the hardware. They get generated within the hardware, and can't leave unless the software lets them.

Backups are still possible too. In reality you would run, say, 3 or 5 of these trusted hardware computers, and either the software would have a mechanism to send the private keys securely to the backups, or you would use n-of-m multisignature transactions; there are a lot of possible options.

Regardless of the whole block-size issue, which I believe can be easily resolved in the future, I agree that there is definitely a need for off-chain transactions because of their speed and privacy. Any company which would want to use Bitcoin doesn't want the whole world to know how much money they make and who their clients are, so a third party to store your Bitcoins is a great idea. That's why we have banks today. Also, I'd like it very much to receive interest on my bitcoins someday.

Your idea seems sound to me, although I'm not quite satisfied by your answer what would happen in case a bank runs off with your money. The time-locked transactions don't seem to be very practical (and isn't this feature disabled because of the zero-confirmation risk?) and someone operating a bank would only have to run away once to a tropical island with your money for you to lose it all. Having said that, it seems to me that your idea could be a perfect blueprint for a serious commercial bank to offer Bitcoin-related services.


Time-locked transactions are not disabled. What is disabled is broadcasting such a transaction over the Bitcoin network when it's still locked. When your transaction reaches its unlock time, you're free to broadcast it. Don't get me wrong, it'd suck to have to wait 6 months to get your money back, but the big advantage is if the bank is using, say, trusted computers and they screw up and all the computers (and their backups) stop working, you can still get the money back. (note that part of the bank's contract with you can be that they pay for the fees involved in getting those txs confirmed if they screw up)

It's the same thing with the "bank runs off with the money" scenario. Unlike an on-chain transaction, you can only make it unprofitable, because they lose their bond and because breaking into trusted computers is extremely expensive; the security of the best IBM cryptocards is rated in terms of how many hundreds of thousands to millions of dollars it would take to hack into one, and that only lets you compromise one bank, not all of them. It's also the same technology that was developed to keep nuclear weapons secure. Finally, breaking into one of those trusted computers also takes a lot of time and physical access, so if your time-locked transaction gives you the money back before the attacker succeeds, they haven't gotten anything out of all their hard effort.
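What "still locked" means concretely, as an added example written for this page (not code from the post): the finality rule a Bitcoin node applies before it will relay or mine a transaction, with the bank's pre-signed refund transaction modelled as a plain dict. The field names, the sample outpoint and the sample heights are assumptions; the rule itself (lock times below 500,000,000 are block heights, larger ones are Unix times, and the lock only applies when some input's sequence number is below 0xffffffff) is Bitcoin's.

```python
"""When can a time-locked refund transaction be broadcast?
Added example, not from the post. Implements Bitcoin's transaction finality
rule: nLockTime below 500,000,000 is a block height, otherwise a Unix time,
and the lock is ignored unless some input has nSequence below 0xffffffff.
Transactions are plain dicts here (an assumption, not the wire format)."""

LOCKTIME_THRESHOLD = 500_000_000
SEQUENCE_FINAL = 0xFFFFFFFF


def is_final(tx, next_block_height, block_time):
    """True if a node would accept, relay or mine `tx` now.

    next_block_height: height of the block the tx would be included in.
    block_time: the time a node compares time-based locks against (the
    original rule used the node's adjusted clock; BIP 113 later switched
    this to the median time of the previous 11 blocks)."""
    lock = tx["locktime"]
    if lock == 0:
        return True
    if lock < LOCKTIME_THRESHOLD:
        if lock < next_block_height:
            return True
    elif lock < block_time:
        return True
    # Lock not yet reached: it only bites if at least one input opted in.
    return all(inp["sequence"] == SEQUENCE_FINAL for inp in tx["inputs"])


def refund_tx(deposit_outpoint, refund_address, amount, unlock_height, sequence=0):
    """The pre-signed transaction the bank hands the depositor: it spends the
    deposit back to them and is non-final until unlock_height. The default
    sequence of 0 is what makes the lock enforceable; leaving nSequence at
    SEQUENCE_FINAL yields a 'time lock' that every node accepts immediately."""
    return {
        "locktime": unlock_height,
        "inputs": [{"outpoint": deposit_outpoint, "sequence": sequence}],
        "outputs": [{"address": refund_address, "value": amount}],
    }


def blocks_until_broadcastable(tx, next_block_height):
    """Blocks still to wait before a height-locked tx becomes final (0 if already final)."""
    lock = tx["locktime"]
    if lock == 0 or lock >= LOCKTIME_THRESHOLD:
        raise ValueError("not a height-based lock")
    return max(0, lock + 1 - next_block_height)
```

The practical caveat is the last branch of `is_final`: a refund transaction whose input keeps the default final sequence number is accepted by every node straight away, so the "6 months" the post describes depends on the bank's software setting nSequence below 0xffffffff on the refund it signs.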

I haven't wrapped my head around this, so I'm not sure if it's a great idea yet, but I'm also glad people are in favor of off-chain transaction options. I posted in one of the block size issue threads about Bitcoin Clearing Houses to facilitate such transfers.

The obvious benefits are instant transfers, zero or low fees (revenue could be ad or features supported), and of course awesome scalability.

I note this doesn't centralize things because there is no power to create coins or prevent their transfer as users could revert to the core network. Someone posted skeptically about creating a target for authorities, saying exchanges are a bit of a weak point, but that's not a worry as I see it. The reason Bitcoin exchanges are vulnerable is they convert traditional system currency into bitcoins. With a clearing house everything is digital, and clearing servers could be hosted anywhere in the world.

One question I have about the Fidelity-bonded banks is what is the profit model?

The receiver still has to validate the received funds with the bank, so it isn't really offline? Only in the sense that no bitcoin block network/blockchain is needed.

Absolutely. They're off-chain, not offline.

In fact you have to remember that to fully audit the bank you need to be running a fully validating node monitoring the blockchain and the transactions coming over the network. This is a big part of why I'm so against increasing the blocksize limit.

One question I have about the Fidelity-bonded banks is what is the profit model?

Transaction fees probably. Where you might pay, say, $2 or even $20/tx for an on-chain transaction, a fidelity-bonded bank could be a penny or two to cover server costs.

The real cost is the time-value of money implied by the fidelity bonds, so banks with the biggest bonds will have to charge more based on the value of that money. For a bank backed 100%, that's probably around 5%/year on your deposits (1), so I expect people would continue to maintain most of their funds on-chain, and only keep a portion of their savings deposited with banks. Equally, if the trusted hardware idea turns out to be secure, the banks don't need to hold fidelity bonds as large.

There also appear to be ways for the Bitcoin network itself to allow you access to your funds, without the bank's involvement, but exactly how that might work is still something myself and gmaxwell are thinking about. Essentially you would have the option of redeeming your deposit immediately, and Bitcoin would process that directly. Quite possibly the rules could make those redemptions always have priority over attempts by the bank to move the money elsewhere for any other reason.

1) Remember that the fidelity bonds are denominated in Bitcoins, so changes in the price of Bitcoins don't affect the time-value-of-money implied.


Ah. I read the following too quickly and thought it mentioned zero fees:

It's also not just a blocksize issue: off-chain transactions can have a lot of advantages by themselves like instant payments and mathematically proven privacy. Regardless of what happens to the blocksize, alternatives to on-chain transactions are healthy and can provide capabilities that Bitcoin itself can't.

In my mind off-chain should mean zero fees, since it should be an improvement, and on-chain already means very low fees.


Yes, but ultimately someone has to pay for the hardware and security cost of Bitcoin. If 100% of the mining reward were paid by fees, rather than inflation, fees would already have to be about $2USD per transaction.

I can definitely see the fees for fidelity banks being pennies or even hundredths of a penny. There aren't any humans involved, so everything is done automatically with very small marginal costs and relatively low barriers to entry.


I thought that's how Bitcoin already works (the low fee, no humans/low barrier to entry part).

The mining subsidy of coins is to incentivize miners to participate, thus securing the network. At the point the subsidy runs out there should be so many transactions on the system that even low fees would make mining worthwhile. Unless you're including the block size limit issue in the pricing?

Is it possible for everyone to audit the amount of bitcoin held by the bank and the amount of circulating receipts, to make sure they keep full reserve?

Absolutely. The contract the bank publishes will state what address deposits will be held at. When you send funds to the bank, you'll know to only send your Bitcoins to that address. At the same time, anyone can check how many funds are sitting there, either from confirmed transactions, or pending transactions in the mempool.

Banks will be forced to publish accurate audit logs by the protocol, and those logs will reveal exactly how many receipts are in circulation backed by their deposits. Publishing an invalid log will be considered fraud.
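The full-reserve check the two answers above describe, as an added example written for this page (not the post's code and not any published Trustbits format): a client takes the bank's signed audit log, computes the value of receipts still in circulation, compares it with the coins at the deposit address named in the contract, and, if the log is self-inconsistent or shows more receipts than deposits, packages the bank's own signed log as a fraud proof anyone can re-check. The log layout, the denominations, the sample UTXO view and the address strings are assumptions. The post names no signature scheme for the bank's identity; to keep the example dependency-free the bank signs each log with a hash-based Lamport one-time signature (a fresh key per log), which stands in for whatever signature the real bank would use.

```python
"""Full-reserve audit of a bank from its published, signed log.
Added example, not the post's code. The log layout, the denomination set
and the UTXO sample are assumptions. The bank signs each log with a
hash-based Lamport one-time signature (fresh key per log) so the check
needs nothing beyond hashlib; the post names no signature scheme."""
import hashlib
import json
import secrets

DENOMINATIONS = (10, 1)  # assumed receipt values


def _h(data):
    return hashlib.sha256(data).digest()


def lamport_keygen():
    """256 pairs of secrets; the public key is their hashes. Use each key once."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(_h(a), _h(b)) for a, b in sk]
    return sk, pk


def _bits(msg):
    digest = int.from_bytes(_h(msg), "big")
    return [(digest >> (255 - i)) & 1 for i in range(256)]


def lamport_sign(sk, msg):
    return [sk[i][bit] for i, bit in enumerate(_bits(msg))]


def lamport_verify(pk, msg, sig):
    return len(sig) == 256 and all(_h(sig[i]) == pk[i][bit] for i, bit in enumerate(_bits(msg)))


def canonical(log):
    """The bytes the bank signs: sorted keys, so two honest encoders agree."""
    return json.dumps(log, sort_keys=True, separators=(",", ":")).encode()


def outstanding_liabilities(log):
    """Receipts in circulation = issued - redeemed, weighted by denomination."""
    total = 0
    for value in DENOMINATIONS:
        issued = log["issued"].get(str(value), 0)
        redeemed = log["redeemed"].get(str(value), 0)
        if redeemed > issued:
            raise ValueError("log redeems more receipts than it issued")
        total += value * (issued - redeemed)
    return total


def reserve_at(address, utxos, include_mempool=True):
    """Coins sitting at the contract's deposit address in the caller's chain view."""
    return sum(u["value"] for u in utxos
               if u["address"] == address and (u["confirmations"] > 0 or include_mempool))


def check_published_log(log_bytes, sig, bank_pk, utxos):
    """Client-side audit. Returns (verdict, fraud_proof_or_None)."""
    if not lamport_verify(bank_pk, log_bytes, sig):
        return "unsigned", None  # not the bank's statement, so it proves nothing
    log = json.loads(log_bytes)
    try:
        liabilities = outstanding_liabilities(log)
    except ValueError as exc:
        return "fraud", {"log": log_bytes, "sig": sig, "utxos": [], "reason": str(exc)}
    reserve = reserve_at(log["deposit_address"], utxos)
    if liabilities <= reserve:
        return "ok", None
    # The bank's own signed log plus the chain view is the machine-checkable proof.
    return "fraud", {"log": log_bytes, "sig": sig, "utxos": utxos,
                     "reason": f"receipts worth {liabilities} backed by {reserve}"}


def verify_fraud_proof(proof, bank_pk):
    """Anyone receiving a broadcast proof re-runs the same check."""
    verdict, _ = check_published_log(proof["log"], proof["sig"], bank_pk, proof["utxos"])
    return verdict == "fraud"
```

The UTXO list carried inside a proof is only a convenience for the reader of the proof; a verifier that runs a fully validating node, which the post says real auditing requires, substitutes its own view of the deposit address before accepting the proof. A log that fails signature verification yields no proof at all, since it cannot be pinned on the bank.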

The mining subsidy of coins is to incentivize miners to participate thus securing the network. At the point the subsidy runs out there should be so many transactions on the system that even low fees would make mining worth while. Unless you're including the block size limit issue in the pricing?

Right now there aren't enough transactions to be even close to paying for all the mining security we do have. When we hit the block size limit, to pay for the amount of security we have right now IIRC tx fees need to be about $0.1/tx, but if Bitcoin is going to grow we're going to need more security than that.

Incidentally, there are technical reasons why even bank transactions should be forwarding fees to miners, albeit fees that are orders of magnitude less than on-chain transactions. Basically part of what constitutes fraud on the part of the bank would be failing to forward the sum of those fees to miners.


I'm not trying to be argumentative, I think Fidelity banks might provide great functionality for privacy if I can wrap my head around it.

But what I was trying to say is Bitcoin is intentionally designed to keep fees either very low or no cost. Let's say there is no block size issue (pretend everyone has T1 lines and near-supercomputers for desktops). If this were the case Bitcoin would always have low or zero fees, because the coin subsidy pays for network security during the years the transaction count is small, and by the time that runs out you'll have enough transactions to pay for all the equipment/power costs. Right?


If that were true, then yes, we could stick to on-chain transactions for everything. But because the current system scales by O(n^2), that is, for n transactions the total cost is n^2, there will be a point when you can't have decentralization and low costs. Trustbits scales by n, so for n transactions the total cost is still n.

Look at it this way: if Bitcoin became the world's currency, it would need to support something like a hundred thousand transactions every second. You're just not going to have a decentralized system at that scale.

Ten years ago, even Bitcoin at its current scale would be impossible without a lot of centralization. Unfortunately Moore's law is already sputtering, so we're probably not going to get the far faster computers we all want in the future.

Anyway, regardless of who is right, if people don't work on alternatives like Trustbits now, we won't have any options at all in the future.

Hmm. I can see a few issues with this, but before I lay out my reasons I just want to re-emphasize the things Peter and I do agree on - that there can and will be innovative ways of doing transactions that lessen the load on the core Bitcoin network. And whilst I'm not sure Chaum banks are it, I do also agree that trusted computing will have a large role to play in future.

By the way, IBM's trusted computing system is pretty much a dead end these days; it's very hard to obtain the hardware. It was never that good anyway, you had to sign consulting contracts to get the SDKs and other things. Intel/AMD have a much better system and I think x86 PC based remote attestation is the way to go for a lot of reasons. See the XMHF project (trustvisor).

I guess the first and most obvious problem is that Chaum already tried to make Chaum-banks when he first invented his scheme, and it was a failure. That is despite the fact he was highly motivated - he believed his idea would make him a millionaire and be the future of finance. So it's worth examining history to figure out why he failed and whether anything has changed since. This is especially true since the patent on his scheme expired years ago and yet nobody rushed to try again.

Although I hate to bring it up, one problem Chaum had was regulatory. By its very nature a Chaum bank is, well, a bank. This leads to two problems:

1) The fact that it gives its users strong privacy directly contradicts almost all existing banking laws, which forbid anonymous accounts.

2) The fidelity bond is a great idea. So great, in fact, that some parts of the world (like the EU) have written it into law already. You have to put up a large bond (eg a million euros) in order to issue what they call e-money, electronic cash backed by deposits.

Bitcoin manages to avoid both these problems by virtue of not having any banks, not having any issuer and not being backed by any deposits. Because all transfers are P2P existing laws, which are written on the assumption that all finance revolves around institutions, typically don't apply. Notable exception: rules governing the reporting of large "cash" transactions.

Could you run a Chaum bank on the darknet? I don't think so. Even if the bank has put up a fidelity bond, the temptation to engage in fractional reserve banking would be immense, and could result in a lot of profit before the inevitable bank run. You can't really tell if this is happening because the coins you deposit are expected to be constantly moving as other people cash out their blinded tokens. I don't fully understand the time locking proposal for this reason - the blinded tokens only have value if you can turn them back into Bitcoins again, and that inherently means that your deposit can't be frozen or locked in any way.

I haven't even touched on the issue of fees. Even in the absence of such regulation, I don't think starting such a bank would exactly be easy, if only because of the gigantic bonds required to establish trust in a new player.

Ultimately, Chaum banking failed because it was simply regular banking that offered anonymous accounts, with the twist that you could trust mathematics instead of the Swiss. Even in the absence of laws banning such practices, I don't think it solves the fundamental issues that make banking problematic in today's world, like organizations that become "too big to fail". Bitcoin however does, which is why it's important that we make it scale as well as possible.

I wasn't intending to make this so public so soon - gmaxwell and I are still working on the technical details - but given the huge discussion the block-size issue seems to have spawned I think it'd be good to get the idea out in the open to show people we do have options other than just raising the block size, and those options don't have to be centralized.

Fidelity-bonded banking allows you to send payments instantly, while still preserving your financial privacy. The recipient of the funds doesn't have access to your financial information, such as where the funds came from, and the bank only knows where the funds came from, not where they went.

...

The bank gives you a receipt for your deposit. To preserve your privacy the receipt is made using a cryptographical technique called Chaum Blind Signatures.

...

The signature is what makes the receipt valuable.

...

Regardless of where the funds go the bank adds the number on the receipt to a list of spent receipts; that way the receipt can only be used once. ...

Centralization is a bad thing - we need it to be possible for many different banks to co-exist. Fortunately with fraud proofs and trusted computing it's possible for software to automatically evaluate the trustworthiness of a bank; humans aren't required. Thus when you send money to someone their client software will evaluate if the transfer is valid automatically regardless of which bank you happen to use. ...

It'll even be possible for you to operate your own bank, although it's expected that most people will just use banks run by others.

From a first glance, this proposal sounds very similar to what the OpenTransactions project has implemented. (see the highlighted parts above)

Unfortunately I hadn't the time to look into any details regarding OpenTransactions, but as far as I know, they have a server already running and just need help to create a more understandable client front-end plus they need an entrepreneur to turn this into a real business. At least that is the state of affairs I recall from their posts.

From reading your proposal, I get the impression that you have focussed more on the trust part, how that could be organised, and how automated verification could work. Maybe this proposal could complement what the Open Transaction folks have achieved.

So my question is, since you're probably way more knowledgeable in this field: How does this proposal relate to Open Transactions, what do you intend to do differently, and what are the similarities?

Your idea seems sound to me, although I'm not quite satisfied by your answer what would happen in case a bank runs off with your money. The time-locked transactions don't seem to be very practical (and isn't this feature disabled because of the zero-confirmation risk?) and someone operating a bank would only have to run away once to a tropical island with your money for you to lose it all. Having said that, it seems to me that your idea could be a perfect blueprint for a serious commercial bank to offer Bitcoin-related services.

Time-locked transactions are not disabled. What is disabled is broadcasting such a transaction over the Bitcoin network when it's still locked. When your transaction reaches its unlock time, you're free to broadcast it. Don't get me wrong, it'd suck to have to wait 6 months to get your money back, but the big advantage is if the bank is using, say, trusted computers and they screw up and all the computers (and their backups) stop working, you can still get the money back. (note that part of the bank's contract with you can be that they pay for the fees involved in getting those txs confirmed if they screw up)

It's the same thing with the "bank runs off with the money" scenario. Unlike an on-chain transaction, you can only make it unprofitable, because they lose their bond and because breaking into trusted computers is extremely expensive; the security of the best IBM cryptocards is rated in terms of how many hundreds of thousands to millions of dollars it would take to hack into one, and that only lets you compromise one bank, not all of them. It's also the same technology that was developed to keep nuclear weapons secure. Finally, breaking into one of those trusted computers also takes a lot of time and physical access, so if your time-locked transaction gives you the money back before the attacker succeeds, they haven't gotten anything out of all their hard effort.

All right, in that case I'm convinced. Obviously it has to be tried and tested, but I think the idea itself is awesome. I've thus far imagined that the traditional banking system would have to step in to offer the same kind of services they're doing right now with fiat money, but if you're able to realize this, then Bitcoin would become even more of a game changer than it already is going to be.

Ten years ago, even Bitcoin at its current scale would be impossible without a lot of centralization. Unfortunately Moore's law is already sputtering, so we're probably not going to get the far faster computers we all want in the future.

Aha, can you walk me through what you think ten years ago would look like? Let's say the year 2000:

Quote:

I bought a new Gateway desktop in 2000. It had Windows ME, a 10 GB hard drive, 860 processor. Also at that time I was on dial up. Boy, you talk about speed. I didn't have it.

I ask because I believe I have a solution to the block size issue, which I plan to post next week. However, the issue of large volume of transactions is still going to be interesting to structure.